fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Size

2.6MB
MD5

5499a17af6f5fa676c67767d371d5726
SHA1

bec05aa2bcf12f94ba03facc1538d7b774cfbc20
SHA256

fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f
SHA512

2fc31691f4f23858ba7d8cf11bf2bfda46c6f15d0420694a06f9c4d637fc7c7e417acc8cd991d61e7cfb44afa79c5ce91a14f6a143e3ce78d3c3b30600ad6873
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp3b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

Executes dropped EXE 2 IoCs

pid	Process
2372	locadob.exe
2596	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXG\\aoptisys.exe"	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4Q\\bodasys.exe"	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe
2372	locadob.exe
2596	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2372	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	30
PID 2088 wrote to memory of 2372	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	30
PID 2088 wrote to memory of 2372	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	30
PID 2088 wrote to memory of 2372	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	30
PID 2088 wrote to memory of 2596	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	31
PID 2088 wrote to memory of 2596	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	31
PID 2088 wrote to memory of 2596	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	31
PID 2088 wrote to memory of 2596	2088	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	31

C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
"C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\FilesXG\aoptisys.exe
  C:\FilesXG\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesXG\aoptisys.exe

Filesize
2.6MB

MD5
f2f5b36f781c4129f203503af60ed849

SHA1
b8c85b89026535596469c18f386b36d9da5120f8

SHA256
c5b717b6c8d4f6f0d50b10977c840e292024841405741bdb90500e290bac0e83

SHA512
7348a0e2bb9dc72b29ecb07be482d7747bd32f3006339ef1f9c64a325b94ad8496ccfae5471a63c25409d33285afa180285ba37dbfcb89145f778ed39503e5c4

Download Submit
C:\LabZ4Q\bodasys.exe

Filesize
2.6MB

MD5
c4a0f80c23344b5dc62fcddedeaeaeb1

SHA1
1e254a4a6cf30597e093a85e1318a0a58526efe9

SHA256
c6d0832fe97fce870fbfb4c7e94e7a1d607d59f4d061b9f625f042d4bd69ddc9

SHA512
c82ed8d2afc3fbbbec0ac207432d3530f4bbd7132e4637f449bf77da7dabc9abb24b5e605c3cc9857f3d73928157de7c5a0fc67386431d45b38d89d4009a2ceb

Download Submit
C:\LabZ4Q\bodasys.exe

Filesize
2.6MB

MD5
41371fee59a143eb0deb1001728eef53

SHA1
91db00eeb9425af63df3110a12a2d7fed511a336

SHA256
f6f41a3b457f11bc9cba219344127f78b90e04e273f1334936fa2a4a2daa5a83

SHA512
18707190d833f7dd4ec469211efe58259f943d2a5f59e6721598dbfa959f50ef1d6ed8196395dd36694c01a233346fc0b0736a7c62b5d760ce075d493082ad6e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
372e577a94efbed36603bbac803b092b

SHA1
c310201cc8b43930659f5757c81e6cd5f0f0c2cf

SHA256
2cbca2eb94e76b372e39dd12a75e007bbc5914b6a1f1d15b90a56ca3d5850245

SHA512
556355d059b82086d040cd647888e5dcb1cad511bedb23bf68f0b39a3f81445c76340dc31f236b4c7fc509dd0637d177d6971eb4ca0c87f898fb88adb4c3809b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
58dfb79221dab3c79dfa3fcc8453c9e1

SHA1
d849c7751c6e4399512a40cfbd794c951db994e1

SHA256
0743161dc5034db1eda92b1f3a2e66a7df808e1d2da465c4f5e58aaff6e4a0e1

SHA512
784c05f73269e0d971768f9b4ffd20e60437cdd684e3c76da3f9fa36868a28ccb02f222c47daa8fc65542956bbd52edcd37855ea3497aeefaa47442b4b35f676

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
48be01425063a086c53cf35586995859

SHA1
b911359adced3bfeb7ab27c93eea5d83c4c76fb7

SHA256
e73edab6b1e4c4f795cd8d2cce0877345d790030ac5dcb68133e025692610414

SHA512
309f2a0ae5e087599ca8133564b706c3f7cc5601a5cdd4d9b543df4fd5491cf4362a43b018f6ea4d605e3856fcf414d6a5d114f567ae68d8f48e18219e232550

Download Submit